Mark,

On 2/21/13 8:34 AM, Mark Thomas wrote:
> JRE JARs.
> I think scanning of these should be made optional and disabled by
> default. This will reduce the list of JARs we have to maintain in
> jarsToSkip. I intend to implement this unless there are any objections.

+1

Will you be checking the ClassLoader to determine whether this is a JRE
JAR or not? Does this apply to the JRE's "endorsed" JARs as well?
White-listing will still work to enable individual JARs in these
locations, right?

> jarsToScan
> This is a little more complicated.
> First of all, how does it work? The suggestion is:
> - If jarsToScan matches, scan it
> - else if jarsToSkip matches, skip it
> - else scan it

+1

> Assuming that the above is acceptable, it would require the following:
> a) three new system properties
> tomcat.util.scan.DefaultJarScanner.jarsToScan
> org.apache.catalina.startup.ContextConfig.jarsToScan
> org.apache.catalina.startup.TldConfig.jarsToScan

-1 for the global-ness of these settings.

> b) add a parameter to JarScanner.scan()
>
> There are a couple of issues here.
> 2. (and an issue with the current code [1]). These settings are all
> global rather than per web application. I would prefer that they were
> per web application with defaults configured globally. It is complicated
> by the fact that the JARs to skip/scan may vary depending on how the
> JarScanner is used.

I would prefer to be able to set this stuff on a per-context basis. How
much of this configuration could be configured with a <Scanner>?

-chris
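The precedence Mark proposes in the quoted text (jarsToScan wins, then jarsToSkip, then scan by default), combined with the per-context override with global defaults that both he and Chris ask for, as an added worked example. This is illustration code written for this page, not Tomcat's JarScanner, and its class names (JarScanPolicyExample, PatternList, Policy), the assumed glob syntax where `*` matches any run of characters in the JAR file name, and the sample JAR names and pattern lists in main() are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class JarScanPolicyExample {

    /** Comma-separated JAR name patterns; '*' matches any run of characters (assumed syntax). */
    static final class PatternList {
        private final List<Pattern> patterns = new ArrayList<>();

        PatternList(String commaSeparated) {
            if (commaSeparated == null) return;           // null list: no patterns at all
            for (String raw : commaSeparated.split(",")) {
                String p = raw.trim();
                if (p.isEmpty()) continue;
                // Turn the glob into a regex: literal text is quoted, '*' becomes ".*".
                String[] parts = p.split("\\*", -1);
                StringBuilder regex = new StringBuilder();
                for (int i = 0; i < parts.length; i++) {
                    if (i > 0) regex.append(".*");
                    if (!parts[i].isEmpty()) regex.append(Pattern.quote(parts[i]));
                }
                patterns.add(Pattern.compile(regex.toString()));
            }
        }

        boolean matches(String jarName) {
            for (Pattern p : patterns) {
                if (p.matcher(jarName).matches()) return true;
            }
            return false;
        }
    }

    /** A scan policy: scan-list first, then skip-list, otherwise scan. */
    static final class Policy {
        final PatternList toScan;
        final PatternList toSkip;

        Policy(PatternList toScan, PatternList toSkip) {
            this.toScan = toScan;
            this.toSkip = toSkip;
        }

        boolean shouldScan(String jarName) {
            if (toScan.matches(jarName)) return true;   // 1. explicit white-list wins
            if (toSkip.matches(jarName)) return false;  // 2. otherwise honour the skip list
            return true;                                // 3. anything unlisted is scanned
        }

        /** Per-context policy: a null argument means "inherit the global default for that list". */
        Policy withOverrides(String ctxScan, String ctxSkip) {
            return new Policy(ctxScan == null ? toScan : new PatternList(ctxScan),
                              ctxSkip == null ? toSkip : new PatternList(ctxSkip));
        }
    }

    public static void main(String[] args) {
        // Global defaults, as they might come from system properties (constructed values).
        Policy global = new Policy(
                new PatternList(null),
                new PatternList("rt.jar,jsse.jar,tools.jar,log4j*.jar"));

        // One web application needs its log4j tag-library JAR scanned for TLDs
        // but keeps every other global default.
        Policy app = global.withOverrides("log4j-taglib*.jar", null);

        String[] jars = {"rt.jar", "log4j-core.jar", "log4j-taglib-2.0.jar", "myapp-lib.jar"};
        for (String jar : jars) {
            System.out.printf("%-22s global=%-5b context=%-5b%n",
                    jar, global.shouldScan(jar), app.shouldScan(jar));
        }
    }
}
```

With these constructed lists, `log4j-taglib-2.0.jar` is skipped under the global policy (it matches `log4j*.jar` in jarsToSkip) but scanned under the context policy, because the context's jarsToScan entry is consulted first; `rt.jar` and `log4j-core.jar` are skipped by both, and the unlisted `myapp-lib.jar` is scanned by both. Keeping the skip list global and narrowing it per context with a white-list is the shape Chris argues for: the deployment-wide list of JARs never scanned stays in one place, and an individual application opts back in only for the JARs it knows contain TLDs or fragments it relies on.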